Europol has detained several people believed to be involved in a botnet operation as part of a follow-up to a major takedown last year.
Following the Operation Endgame investigation, major malware droppers including IcedID, SystemBC, Pikabot, Smokeloader and Bumblebee, were shut down last year.
According to Europol, analysis of the contents of a seized database enabled it to identify customers of the SmokeLoader pay-per-install botnet, operated by an individual known as ‘Superstar’.
The law enforcement agency has now made arrests, carried out house searches, and conducted arrest warrants or ‘knock and talks’.
"Superstar used his botnet to run a pay-per-install service, enabling customers to gain access to victims’ machines. Customers used the service to deploy malware for their own criminal activities," Europol said.
"Investigations revealed that botnet access was purchased for a range of purposes, including keylogging, webcam access, ransomware deployment, cryptomining and more. Law enforcement tracked down the customers as they were registered in a database seized during Operation Endgame."
The malware had infected millions of computers around the world, according to the FBI. SystemBC facilitated anonymous communication between an infected system and a command-and-control servers.
Meanwhile, Bumblebee was distributed mainly via phishing campaigns or compromised websites, and was designed to enable the delivery and execution of further payloads on compromised systems.
SmokeLoader was mainly used as a downloader to install additional malicious software onto the systems it infected. Similarly, IcedID - also known as BokBot - had been further developed to carry out a range of crimes as well as the theft of financial data.
Europol hails success of largest botnet takedown
As part of last year's operation - the largest ever against a botnet - more than 100 servers were shut down or disrupted and over 2,000 internet domains tied to the hacking activities were seized.
But while last May's activities were focused on the high-level players who were using ransomware, for example, this latest set of raids is designed to mop up the customers of Cybercrime as a Service providers.
Law enforcement agencies in several countries were able to link online personas and their usernames to actual individuals.
"When called in for questioning, several suspects chose to cooperate with the authorities by facilitating the examination of digital evidence stored on their personal devices," Europol said.
"Several suspects resold the services purchased from SmokeLoader at a markup, thus adding an additional layer of interest to the investigation."
Europol said it’s not quite finished yet, either. The law enforcement agency is still investigating possible leads, revealing it has more suspects in the crosshairs.
MORE FROM ITPRO
- Botnets are being sold on the dark web for as little as $99
- Cobalt Strike abusers have been dealt a hammer blow
- The Zservers takedown is another big win for law enforcement
-
Trump's AI executive order could leave US in a 'regulatory vacuum'News Citing a "patchwork of 50 different regulatory regimes" and "ideological bias", President Trump wants rules to be set at a federal level
-
TPUs: Google's home advantageITPro Podcast How does TPU v7 stack up against Nvidia's latest chips – and can Google scale AI using only its own supply?
-
Chinese hackers are using ‘stealthy and resilient’ Brickstorm malware to target VMware servers and hide in networks for months at a timeNews Organizations, particularly in the critical infrastructure, government services, and facilities and IT sectors, need to be wary of Brickstorm
-
The Scattered Lapsus$ Hunters group is targeting Zendesk customers – here’s what you need to knowNews The group appears to be infecting support and help-desk personnel with remote access trojans and other forms of malware
-
Shai-Hulud malware is back with a vengeance and has hit more than 19,000 GitHub repositories so far — here's what developers need to knowNews The malware has compromised more than 700 widely-used npm packages, and is spreading fast
-
The US, UK, and Australia just imposed sanctions on a Russian cyber crime group – 'we are exposing their dark networks and going after those responsible'News Media Land offers 'bulletproof' hosting services used for ransomware and DDoS attacks around the world
-
Europol hails triple takedown with Rhadamanthys, VenomRAT, and Elysium sting operationsNews The Rhadamanthys infostealer operation is one of the latest victims of Europol's Operation Endgame, with more than a thousand servers taken down
-
Hackers are using these malicious npm packages to target developers on Windows, macOS, and Linux systems – here’s how to stay safeNews Security experts have issued a warning to developers after ten malicious npm packages were found to deliver infostealer malware across Windows, Linux, and macOS systems.
-
Cisco ASA customers urged to take immediate action as NCSC, CISA issue critical vulnerability warningsNews Cisco customers are urged to upgrade and secure systems immediately
-
Hackers are disguising malware as ChatGPT, Microsoft Office, and Google Drive to dupe workersNews Beware of downloading applications like ChatGPT, Microsoft Office applications, and Google Drive through search engines
